Hide Forgot
Description of problem: Can't use SSH to login the guest without password when SELinux is enforcing Version-Release number of selected component (if applicable): libguestfs-1.32.7-2.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1. Prepare a RHEL guest image: RHEL-Server-7.2-64-hvm.raw2 2. Create a tmp.qcow2 image to record only the differences from backing_file: #qemu-img create -f qcow2 -o backing_file=RHEL-Server-7.2-64-hvm.raw tmp.qcow2 3.Inject your public key and a string to the guest: # virt-sysprep -a tmp.qcow2 --ssh-inject root:file:/root/.ssh/id_rsa.pub --ssh-inject root:string:"ssh-rsa AAtesttesttest" Note: You can also create new emptykey by: # ssh-keygen -f emptykey Press twice, you'll get: Private key : emptkey (used to ssh login with -i) Public key: emtykey.pub (used to instead of /root/.ssh/id_rsa.pub) 4.Boot the guest image , get the ip info, and ssh to it using you own private key: # ssh root@$ip Actual results: Can't use SSH to login the guest without password when SELinux is enforcing. If run the command "setenfoce 0" in guest to change the SELinux mode to permissive, then try to login again without password. It successes. Expected results: Can use SSH to login the guest without password when SELinux is enforcing Additional info: virt-customize has the same problem.
Hi Bin Han, (In reply to Bin Han from comment #0) > 3.Inject your public key and a string to the guest: > # virt-sysprep -a tmp.qcow2 --ssh-inject root:file:/root/.ssh/id_rsa.pub > --ssh-inject root:string:"ssh-rsa AAtesttesttest" As also described in the documentation of virt-sysprep, you need to use --selinux-relabel when editing guests with SELinux enabled, at least with the invocation before the actual boot (in this case it's one, so here). This applies to virt-customize, virt-builder, and virt-sysprep.
As well as doing what Pino says, please try the RHEL 7.3 packages since some other bugs were fixed in both SSH key injection and SELinux relabelling: https://people.redhat.com/~rjones/libguestfs-RHEL-7.3-preview/
(In reply to Richard W.M. Jones from comment #3) > As well as doing what Pino says, please try the RHEL 7.3 packages since > some other bugs were fixed in both SSH key injection and SELinux > relabelling: > > https://people.redhat.com/~rjones/libguestfs-RHEL-7.3-preview/ Ah, I see that you're using these packages or RHEL 7.3 already .. Carry on.
Please check whether using --selinux-relabel works (it should).
(In reply to Pino Toscano from comment #5) > Please check whether using --selinux-relabel works (it should). yes,if relabel the selinux context, it works. Can login without password. The changing steps show below. steps: #chcon -t ssh_home_t /root/.ssh/authorized_keys # ls -Z /root/.ssh/authorized_keys -rw-------. root root system_u:object_r:ssh_home_t:s0 /root/.ssh/authorized_keys
(In reply to Pino Toscano from comment #5) > Please check whether using --selinux-relabel works (it should). I add --selinux-relabel into the command "virt-sysprep --selinux-relabel -a tmp.qcow2 --ssh-inject root:file:/root/.ssh/id_rsa.pub --ssh-inject root:string:"ssh-rsa AAtesttesttest". It works well. It can relabel the selinux context. So the problem isn't a bug ? But I also have anther problem why not set the parameter --selinux-relabel as default setting.
(In reply to Bin Han from comment #7) > (In reply to Pino Toscano from comment #5) > > Please check whether using --selinux-relabel works (it should). > > I add --selinux-relabel into the command "virt-sysprep --selinux-relabel -a > tmp.qcow2 --ssh-inject root:file:/root/.ssh/id_rsa.pub --ssh-inject > root:string:"ssh-rsa AAtesttesttest". It works well. It can relabel the > selinux context. Good thing, thanks for checking. > So the problem isn't a bug ? Indeed, this is not an issue. If you have are modifying a guest with SELinux enabled, you must use --selinux-relabel in the last libguestfs command before you boot it. > But I also have anther problem > why not set the parameter --selinux-relabel as default setting. See bug 1340312, comment 3, for some data points regarding this.